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Abstract. The discrete logarithm is a problem that surfaces frequently in 
the field of cryptography as a result of using the transformation g a mod n. 
This paper focuses on a prime modulus, p, for which it is shown that the basic 
structure of the functional graph is largely dependent on an interaction be- 
tween g and p — 1. In fact, there are precisely as many different functional 
graph structures as there are divisors of p — 1. This paper extracts two of 
these structures, permutations and binary functional graphs. Estimates exist 
for the shape of a random permutation, but similar estimates must be created 
for the binary functional graphs. Experimental data suggests that both the 
permutations and binary functional graphs correspond well to the theoretical 
data which provides motivation to extend this to larger divisors of p — 1 and 
study the impact this forced structure has on the many cryptographic algo- 
rithms that rely on the discrete logarithm for their security. This is especially 
applicable to those algorithms that require a "safe" prime (p = 2q + 1, where 
q is prime) modulus since all non-trivial functional graphs generated using a 
safe prime modulus can be analyzed by the framework presented here. 



1. Introduction 

Just a few decades ago, cryptography was considered a domain exclusive to 
national governments and militaries. However, the computer explosion has changed 
that. Every day, millions of people trust that their privacy will be protected as 
they make online purchases or communicate privately with a friend. Many of the 
cryptographic algorithms they will use are built upon a common transformation, 
namely 

(1) g x = y mod n. 

For instance, Difhe-Hellman key exchange, RSA and the Blum-Micali pseudoran- 
dom bit generator all use This paper will examine some of the properties 
exhibited by this sort of transformation and provide theoretical and experimen- 
tal data describing how the interaction between g and the modulus impacts the 
behavior of this function. 



2. Terminology and Background 

In this paper, we will restrict the values of n to primes and examine mappings 

f:S = {l,2,...,p-l}^S 

of the form x t— > g x mod p, where p is a prime modulus. In some instances, it 
will prove to be useful to interpret the mappings as functional graphs. A functional 
graph is a directed graph such that each vertex must have exactly one edge directed 
out from it. The relationship between the mappings which interest us and functional 
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graphs is straightforward. Each element in S can be interpreted as a vertex. The 
edges are defined such that an edge (a, b) is in the graph if and only if f(a) = b. 

There are a number of statistics of interest derived from functional graphs. Fol- 
lowing the convention of 4 , which treats random mappings in detail, let / : S — > S 
be the transition function so that the edges in the functional graph can be expressed 
as the ordered pair (x, f{x)) for x, f[x) S S. By applying the pigeonhole principle 
and noting that the cardinality of S is p — 1 we can say that by starting at any 
random point uq and following the sequence u± = f(uo), 112 — f(u±), there must 
be a Ui = Uj after at most p iterations. Suppose ut occurs before Uj in the sequence 
of nodes. In this case, the tail length is the number of iterations from uq to Uj. The 
cycle length is the number of iterations from Ui to Uj . In more natural graphical 
terms, the cycle length is the number of edges (or equivalently nodes) involved in 
the directed path from Ui to itself. The tail length is the number of edges from uq 
to Ui. Additionally, a terminal node is one with no pre-image, or more formally, x 
is a terminal node if f~ 1 {x) = 0. A node is an image node if it is not a terminal 
node. Since each node has an out-degree of exactly one, each cycle with the trees 
grafted onto its nodes will form a connected component. 

The value of g plays a major role in determining the basic structure of the graph. 
In fact, as Theorem^formalizes, the interaction among g andp— 1 will effectively fix 
the in-degrees of the nodes in the graph. First, though, define an m-ary functional 
graph to be a graph where each node has in-degree of exactly zero or m. The proof 
of the following theorem is then straightforward. 

Theorem 1. Let p be fixed and let m be any positive integer that divides p — 1. 
Then as g ranges over all integers, there are <f>{^Er) different functional graphs 
which are m-ary produced by maps of the form f : x 1— > g x mod p. 1 Furthermore, 
if r is any primitive root modulo p, and g = r a mod p, then the values of g that 
produce an m-ary graph are precisely those for which gcd(a,p — 1) = m. 

Theorem Q] gives a strong indication that the graphs generated by have to be 
considered separately for different values of m. 

It should be noted, though, that there are some values of m which lead to 
completely predicable graphs. For instance, there is one (p — l)-ary graph that 
corresponds to g = 1 mod p. There is also one (^— )-ary graph that corresponds 
to g = —1 mod p. In general, however, an m-ary graph is not trivially predictable. 
This paper will restrict its focus to unary functional graphs (which will be referred 
to as permutations since they simply permute the numbers 1, p— 1) and binary 
functional graphs. The values of g which produce a permutation are precisely those 
which are primitive roots modulo p. 

In cryptography, it is common to look for primes where p — 1 has at least one 
large prime factor. For instance, the pseudorandom bit generator described by 
Gennaro in and mentioned in Section ^ requires the modulus to be of the form 
p = 2q + 1 where q is also prime. A prime of this form is known as a safe prime 
(q is also known as a Sophie Germain prime). These primes are of interest here 
not only because of their extensive use in cryptography, but also because p — 1 has 
only four divisors, namely 1, 2, q and 2q. It can be quickly verified that there is 
only one q-eny (g = —1 mod p) and one 2<7-ary (g = 1 mod p) graph generated. 
More importantly, there are (j>(q) permutations and <fi(q) binary functional graphs 



Throughout this paper, denotes the Euler phi funcion. 
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which represent the remaining values of g (since <fr(q) is q — 1). Thus, not only do 
safe primes provide large numbers of permutations and binary functional graphs, 
but every graph generated by a safe prime is either trivial (the graphs where g is 
either 1 or -1) or fits into the theoretical framework presented in Section [3] 



3. Theoretical Results 

In Theorem ^ it is shown that the in-degree of each node is dependent on the 
value of both g and p. This is clearly imposing a structure on any functional 
graphs generated using (JJJ. It seems reasonable, though, that a large collection 
of functional graphs generated by using JQ| as the transition function would tend 
toward exhibiting behavior similar to that of a collection of random functional 
graphs. At a minimum, a factorization for p—1 with many divisors would certainly 
seem to hide the structure imposed by Theorem ^ since the many divisors of p — 1 
would each contribute some graphs. Section 14. II will give evidence that this is not 
the case. However, the methods used to obtain the theoretical bounds for the 
random functional graphs can be extended to analyze m-ary graphs for specific m. 

While most of the parameters that are of interest depend on the exact graph 
generated, the number of image nodes can be computed directly from the values of 
g and p. The proof is again straightforward. 

Theorem 2. The number of image nodes in any m-ary graph is 

Theorem helps to quantify the repercussions of Theorem^and the restrictions 
on in-degree in m-ary graphs. The number of image nodes is a direct function of 
to which can greatly limit the shapes each graph can take on. None of the other 
parameters appear to have a generalization as convenient as the image nodes and 
will be treated as specific parameters in permutations and binary functional graphs. 



3.1. Random Functional Graphs. Flajolet and Odlyzko do a thorough analysis 
of functional graphs in 4 . While none of these results are original, Flajolet and 
Odlyzko demonstrate that all of these parameters can be estimated through a sin- 
gularity analysis of generating functions. This appears to be the first method that 
can be applied to all of these parameters. Their methods can then be adapted for 
any fixed value of m to estimate the parameters of interest for an m-ary graph. 
Specifically, the methods will be used to confirm some permutation results and to 
develop all of the binary functional graph results. The results from 0] are summa- 
rized below in Theorem 
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Theorem 3. The asymptotic values for the parameters of interest in a random 
functional graph of size n are: 



i) 



ivj 
v) 
vi) 
vii) 



viii) 

ix) 

2) 



Number of components 
Number of cyclic nodes 

Number of tail nodes 

Number of terminal nodes 
Number of image nodes 
Average cycle length 
Average tail length 

Maximum cycle length 
Maximum tail length 



In (2n) + 7 



n - yjixnjl + - 
e n 



(1 
\J irn 



e )n 



1 — exp 



y/nn/8 

ixn 
2 

j 0.78248v^ 
27m In 2 « 1.73746\/n 



, du 
u 



dv 



In part (J, 7 refers to the Euler constant which is approximately 0.57721566. 
The second order terms for parts 10), ijujl. and Ijmjl were not given in 0], but can 
be computed with a careful singularity analysis using precisely the same methods 
used there. 



3.2. Permutations. Predicting the behavior of the permutations is, in many ways, 
much easier than other m-ary graphs. The most important reason for this is that 
there are no terminal nodes or tail nodes. This follows quickly from the definition 
of a permutation as a unary functional graph and the fact that the sum of the 
in-degrees must be the same as the sum of the out-degrees. Each node has an out- 
degree of exactly one, and if any node were to have an in-degree of zero, then, by the 
pigeon-hole principle, at least one node must have an in-degree of more than one. 
This is not allowed so each node must have in-degree of exactly one. Furthermore, 
since every tail must contain at least one terminal node, this also implies that every 
node is cyclic. The parameters that can then be determined from the definition of 
a permutation are given below. 

Number of cyclic nodes n 

Number of tail nodes 

Number of terminal nodes 

Number of image nodes n 

Average tail length 

There are three non-trivial parameters of interest. They are expressed in Theorem^] 

Theorem 4. The asymptotic values for the number of components, the average 
cycle length as seen from a random node and the maximum cycle length in a random 
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permutation of size n have the following values: 

(i) Number of components 

(ii) Average cycle length 
Maximum cycle length 

(iii) 

Parts (Q) and Part (JuJ are fairly well known. Part ljTTT|) seems to have first been 
solved by Shepp and Lloyd in 1966 7 . An alternative solution and proof more 
similar to the methods used here is offered by Flajolet and Odlyzko in 



i=l 

n + 1 



1 — exp 



0.62432965n 



dv 



3.3. Binary Functional Graphs. While estimates for the parameters investi- 
gated here exist in literature for the random functional graphs and permutations, 
it does not appear similar estimates exist for binary functional graphs. However, 
the methods in 0] can be extended to develop these estimates. Imitating the meth- 
ods of 0], we first need to convert our ideas of a binary functional graph into 
corresponding generating functions. The machinery is fairly straightforward once 
we define the following as in 4 : 

BinFunGraph = set (Components) 

Component = cyclc(Nodc*BmaryTree) 

Binary Tree = Node + Node*set(BinaryTree, cardinality = 2) 

Node = Atomic Unit 

This implies that a binary functional graph is a set of components. Each component 
is a cycle of nodes with each node having an attached binary tree to bring its in- 
degree to two. A binary tree is either a node (terminal node) or a node with 
two binary trees attached. Finally, a node is simply an atomic unit. A moment's 
reflection should indicate that this natural specification does, in fact, specify a 
binary functional graph. Imitating the transformations in Section 2.1], the 
generating functions of interest are 

(3) f(z) = e c « = 



(4) c(z) = In 



1 - zb(z) 
1 

1 - zb(z) 



(5) b{z) = z+ 1 -zb\z) 

Here / generates the number of binary functional graphs, c generates the number 
of components, and b generates the number of binary trees of a given size. Solving 
the quadratic formula for JSJ, we can produce the following formulas for / and c 
which simplify some of the cases: 

(6) /(*) ! 



VI - 2z 2 

(7) c(z) = In - 1 

W VI - 2z 2 
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In order to compute asymptotic forms of any of the statistics of interest, we must 
first compute an asymptotic form for / to normalize results. The following deriva- 
tions give only a highlight of the methods used by Flajolet and Odlyzko. The 
interested reader is encouraged to see [3] 0] for detailed proofs. 

From equation (JfJJl it is clear that there is a singularity at z = 1/ y/2. Performing 
a singularity analysis 2 as in Section 2] , the asymptotic form for / falls out quickly 
as 

nn/2 

( 8 ) /(*) ~ -nm- 

In at least one case, there are some important second-order interactions between 
the error terms of the number of graphs and the appropriate statistic. In these 
cases, a more exact form of (jHJl must be used. Expanding one more term in the 
expansion of / gives 

2"/ 2 2™/ 2 _2"/ 2 (4n-l) 

y/im/2 AnyJ-Kn/2 An^/im/2 

In most cases, using this more precise expansion of / is not necessary and does not 
change the results. Therefore, in all but the necessary cases, will be used. 
We begin by deriving the results for the most simple parameters. 

Theorem 5. The asymptotic forms for the number of components, number of cyclic 
nodes, number of tail nodes, number of terminal nodes and number of image nodes 
in a random binary functional graph of size n, as n — > oo are 

i) Number of components — - — ^ ^ 

ii) Number of cyclic nodes y nn/2 — 1 

iii) Number of tail nodes n — y im/2 + 1 

iv) Number of terminal nodes n/2 

v) Number of image nodes n/2 

In part Q, 7 represents the Euler constant which is approximately 0.57721566. 
The highlights of the proofs as they differ from those in 0] follow. 

Proof. As in 0], the following bivariate generating functions need to be defined 
with parameter u marking the elements of interest. The generating functions for 
the number of components, number of cyclic nodes and number of terminal nodes 
are respectively: 

1 



(10) z ) — ex P ^ttln 

(11) &(«,*) = 



1 - zb(z) 



1 — uzb(z) 

<12) 



2 The analyses in this paper have been performed using the computer algebra program Maple 
and the packages created as part of the Algorithms Project at INRIA, Rocquencourt, France. The 
packages can be found online at http://pauillac.inria.fr/algo/librarics/softwarc.html 
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Imitating the methods in 0], the mean value generating function, is found 

by taking the partial derivative of £(u, z) with respect to u and evaluating at u = 1. 
This yields the following results 

(!3) 5!(z)= * h/ ' 



(14) S 2 (z) 



l-z&(z) V 1 -^ 2 ) 

z6(z) 
(l-zb{z)) 2 

,2 



( 15 ) S3(z)= a-2z 2 )3/ 2 - 

The forms in the statement of the theorem follow by expanding around the sin- 
gularity z — 1/ y2, applying singularity analysis as in 0] , and normalizing parts 10) 
and ijuj by (JHJ) and O by Q. Parts JmJ) and © follow from parts ijnj and Ipvjl 
respectively since the respective pairs must sum to n. Also note that part l(iv|l can 
also be derived in an elementary fashion from the definition of the binary functional 
graph. □ 

The asymptotic values for the average length of cycles and tails as seen from 
a random point in the graph are also interesting. The asymptotic forms of these 
values are given in Theorem 

Theorem 6. The expected values for the cycle size and tail length as seen from a 
random node in a random binary functional graph of size n are asymptotic to 

(i) Average cycle length y nn/8 

(ii) Average tail length \J nn/8 

Proof. In order to calculate the average cycle length and average tail length, the 
generating functions must be manipulated to account for each node in the cycle or 
tail. This can be done by using the same methods as in the previous proof, but on 
the component function and taking an additional derivative with respect to z to 
weight each cycle and tail by the nodes involved. Multiplying again by z replaces 
the factor lost in the differentiation and by 1/(1 — b(z)) cumulates over all of the 
components. This strategy is used to prove the result for average cycle size in 0]. 
More background on the method can be found there. 

Marking the appropriate elements, performing a singularity analysis of the two 
generating functions and normalizing by 2 n / 2 j{ji\J -rm/2), as done in the previous 
theorems, leads to the statement of the theorem. The additional factor of n in 
the denominator is needed to compensate for the fact that the parameters were 
estimated across all nodes in the graph and the goal is to determine them from any 
single random node in the graph. □ 

The final parameters that needs to be calculated are the average maximum cycle 
length and the average maximum tail length. 

Theorem 7. The asymptotic forms for the expected sizes of the largest cycle and 
the largest tail in a random binary functional graph of size n, as n — ► oo, are 



(i) Largest cycle 




o 



i -rxpl - / e~ u — ) 



u J 

(ii) Largest tail v^Tmln 2 - 3 + 2 In 2 « 1.73746\/n - 1.61371 



dv « 0.78248\M 
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Proof. The proof for part 10) result follows precisely the methods of g] with sub- 
stitution of the proper generating function /, and is therefore omitted. 

The proof for part JuJ follows a combination of g] Theorem 6] and Sections 
3-5]. Let b^ h '(z) be the exponential generating function for the number of binary 
trees with height at most h and f^(z) be the exponential generating function for 
the number of binary functional graphs with maximum tail length less than or equal 
to h, so that (as in Equations (41) and (42) of g]) 

fiH] ^ = l-zbW(z) 

and 

b^ h+1 \z)=z + ^z{b^{z)) 2 , bM(z) = z. 
Now, as in 2 Proposition 2] , note that 

b{z) ~ = -z (b{z) - (b(z) + bW(z) 

so if we let 

b(z)-bW(z) 
eh(z) = 2b(z) ■ 

then 

e h+1 {z) = (1 - Vl-2z 2 )e^(z)(l - e h (z)). 
Now we want to approximate eh(z) with a function of h and some e(z). If we let 
e = y/l — 2z 2 then we have 

e i+1 = (l-e)e i (l-e i ); e_i = 2. 

This is essentially the same recursion as in 2 , and as in [21 Lemma 5] , we can then 
"normalize" and "take inverses" to get the approximation 

(l-e) h+1 e 

< 16 » ■»» /-(!■!«)>+. • 

(The details of the error bounds proceed as in we omit them here.) 

The generating function associated to the average maximum tail length is (as in 
Equation (43) of g]) 

1 1 



s(*) = E 



h>0 



l-zb(z) l-zbW(z) 



and we proceed as in Equation (51) of g] to write 

2zb(z) e h (z) 



" l j " l-zfc(z) 1 



zi(z) ^ 1 - z6(z) + 2e h (z)zb(z) 

Putting this entirely in terms of e and h, and shifting the index of summation 
for convenience, we can write 

[ ] {) e ^l + (l-2e)(l-e)^ 

We approximate the sum with an integral, using Euler-Maclaurin summation. 
Taking the integral and noting that ln(l — e) ~ — e as e — ► 0, we finally get: 

(18) H(z)« -^i-iLln(2-3£ + 2 e 2 ). 
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The next step is to substitute e = yl — 2z 2 into (|18fl and do the singularity 
analysis, which gives us the statement of the theorem. □ 

4. Observed Results 

In |S] , heuristics and observed values for the number of small cycles (fixed points 
and two-cycles) in graphs of the type investigated here are given. Our methods 
build on this to generate experimental data for the parameters described by the 
theoretical predictions in Section The method of data collection was straightfor- 
ward. A prime was chosen as the modulus and then for each g £ {1,2, 3, ...,p— 1}, 
the corresponding map or permutation was generated. The results were then com- 
puted as averages over all p — 1 graphs observed. The permutations and binary 
functional graphs were noted and their results were also tabulated separately. In 
this manner, the data can be examined in its complete form over all graphs and 
individually over the permutations and binary functional graphs. The generation 
and analysis of each of the graphs was handled by C++ code written by the first 
author. 

The primes chosen for these calculations were 

100043 = 2 • 50021 + 1, 

100057 = 2 3 • 3 ■ 11 • 379 + 1, and 

106261 = 2 2 • 3 • 5 ■ 7- 11 • 23+ 1. 

The total number of graphs, permutations and binary functional graphs can be 
computed using Theorem ^ and are shown in Table ^ The combined results of 





100043 


100057 


106261 


Permutations 


50020 


30240 


21120 


Binary Functional Graphs 


50020 


15120 


10560 


Total Functional Graphs 


100042 


100056 


106260 



Table 1. The number of permutations, binary functional graphs 
and total functional graphs associated with p = 100043, p — 
100057, and p = 106260. 



all functional graphs will be examined first in Section 14.11 where the observed re- 
sults will be compared to the theoretical framework for random functional graphs 
given in Theorem [3] In Section l4~2l the observed results for the permutations will 
be compared to the theoretical results given in Theorem Finally, the observed 
results for the binary functional graphs will be examined in Section 14.31 Theo- 
rems [S] through [7| will provide the theoretical predictions for these values. Since 
the terminal nodes and tail nodes can be directly computed from the image nodes 
and cyclic nodes, including them in the collected data does not add any insight. 
For this reason, they have both been excluded from the analysis conducted in the 
following sections. Appendix Ogives some of the interesting extremal data such as 
the longest cycle observed for each prime. 
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4.1. Combined Results. It would seem that by combining better than one hun- 
dred thousand functional graphs generated by Q , the results would tend toward a 
random functional graph. Theorem^shows that the modular exponentiation func- 
tion imposes some structure onto the functional graphs, but especially if p — 1 has a 
complex factorization, the large number of graphs might be thought to approach a 
lack of structure. However, as Table [3 clearly shows, these graphs are not tending 
toward a random functional graph. 





100043 


100057 


106261 


Observed 


Error 


Observed 


Error 


Observed 


Error 


Components 


9.235 


44.481% 


7.603 


18.947% 


6.742 


4.983% 


Cyclic Nodes 


50271.600 


12578.567% 


30399.400 


7574.478% 


21268.600 


5110.130% 


Image Nodes 


75029.000 


18.644% 


47838.800 


24.363% 


69435.300 


3.374% 


Avg Cycle 


25088.934 


12557.883% 


15249.500 


7593.148% 


10629.500 


5103.529% 


Avg Tail 


197.951 


0.130% 


114.215 


42.380% 


92.590 


54.674% 


Max Cycle 


31320.700 


12555.466% 


19027.821 


7587.860% 


13259.600 


5098.564% 


Max Tail 


271.408 


50.613% 


217.842 


60.363% 


202.581 


64.232% 



Table 2. The observed results for the three primes over all func- 



tional graphs generated and the corresponding percent errors. 



4.2. Permutation Results. The results in Section [3] and Section F1~T1 imply that 
the graphs should be split based on the value of to, or the possible in-degrees of 
each node. The results of looking at only the values of g that were a primitive root 
modulo p (permutation graphs) can be found in Table 01 





100043 


100057 


106261 


Observed 


Error 


Observed 


Error 


Observed 


Error 


Components 


12.081 


0.083% 


12.054 


0.306% 


12.126 


0.205% 


Avg Cycle 


49980.551 


0.082% 


50191.352 


0.326% 


53105.104 


0.048% 


Max Cycle 


62395.488 


0.102% 


62627.745 


0.256% 


66245.807 


0.144% 



Table 3. The observed results for the three primes over the per- 
mutations and the corresponding percent errors. 



The percent error here is nearly zero in every instance. This seems to indicate 
that there are no obvious structural differences between a random permutation and 
a permutation generated by the process used here. 

4.3. Binary Functional Graph Results. The binary functional graphs should 
prove more interesting than the permutations examined in the previous section. 
Unlike permutations, binary functional graphs do not appear to have been previ- 
ously studied in detail. The statistics derived from the binary functional graphs 
and the error when compared to the results derived in Section 13.31 can be found in 
Table H 
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100043 


100057 


106261 


Observed 


Error 


Observed 


Error 


Observed 


Error 


Components 


6.389 


0.047% 


6.364 


0.437% 


6.370 


0.810% 


Cyclic Nodes 


395.303 


0.029% 


395.858 


0.105% 


408.433 


0.217% 


Image Nodes 


50021 


0% 


50028 


0% 


53130 


0% 


Avg Cycle 


198.319 


0.056% 


197.766 


0.230% 


202.651 


0.795% 


Avg Tail 


197.961 


0.125% 


197.550 


0.339% 


202.422 


0.907% 


Max Cycle 


247.261 


0.094% 


247.302 


0.082% 


256.986 


0.754% 


Max Tail 


541.827 


1.115% 


549.588 


1.145% 


566.370 


1.744% 



Table 4. The observed results for the three primes over all binary 



functional graphs generated and the corresponding percent errors. 



The number of image nodes came out exactly as expected and predicted by The- 
orem|21 However, in many other cases the results were nearly as good. The relative 
size of the error follows the number of binary functional graphs for each prime. 
This is especially worth noting for p — 100043 which has over fifty thousand binary 
functional graphs while 100057 and 106261 have approximately fifteen thousand 
and ten thousand respectively. Since having more graphs appears to push the re- 
sults closer to those derived in Section 1531 this seems to further support the claim 
that the results hold for any binary functional graph produced by our mapping. 



5. Conclusions and Future Work 

The transformation used here to generate functional graphs and permutations 
is an exceedingly important transformation in cryptography. If the output of the 
function were to fall into a predictable pattern, it could be an exploitable flaw in 
many algorithms considered secure today. For instance, the average cycle length 
seems particularly important for pseudorandom bit generators since, in many cases, 
it relates directly to the predictability of the pseudorandom bit generator. As 
Theorem demonstrates, the use of repeatedly forces a non-trivial structure 
onto the graphs generated. This is certainly worth investigating as any imposed 
structure may be open to an exploit. 

The advantage of using a safe prime is that every non-trivial graph can be an- 
alyzed by the theoretical framework laid out in this paper. Their use is also very 
prevalent in cryptographic applications. As mentioned above, the pseudorandom 
bit generator specified in requires the use of a safe prime to defend against other 
attacks. However, the methods used for binary functional graphs in Section EPl 
can and should be extended to larger values of m. In an ideal case, they should be 
extended in the general case for an m-ary graph that can be specified by 

FunctionalGraph = set (Components) 

Component = cycle(Node*Set(Tree, cardinality = m — 1)) 

Tree = Node + Node*set(Tree, cardinality = m) 

Node = Atomic Unit 
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The associated generating functions for these functional graphs would be 



where f(z) is the exponential generating function associated to the functional 
graphs, c(z) is the exponential generating function associated to the connected 
components and t(z) is associated to the trees. The methods in Section I3~31 could 
also be extended to obtain values for additional parameters such as the maximum 
tail length. 

This paper has focused on the graphs generated when the modulus is prime. In 
practice, though, this is not always the case. For this reason, it could be worthwhile 
to attempt to extend the type of analysis done here to a composite modulus. 

While the data generated for this project appears to confirm that the graphs do 
tend toward the shape and structure of a random graph of the appropriate type, no 
data was collected on the distribution of the different parameters. This data could 
help to give a clearer picture of how closely individual graphs may be expected to 
exhibit the characteristics of a random graph, especially given the observation that 
primes with a larger number of binary functional graphs seem to conform better to 
prediction on the average. The methods used in pQ would seem to be potentially 
helpful here. 



For p = 100043, the longest cycle observed was 100042 which occurred for two 
different values of g. They were g = 20812 and g = 94034. The longest tail had a 
length of 1448 and was observed when g = 89339. There were five instances where 
the graphs contained no cycles longer than one which occurred for g = 1, 72116, 
91980, 95997, and 100042. 

The graphs generated by p = 100057 had an overall longest cycle of 100052 when 
g = 58303. The longest tail observed was 1589 when g = 18115. There were also 
26 different values of g that produced a graph that did not have a cycle longer than 
one. 

The largest cycle observed in graphs generated using p = 106261 was 106257 
when g = 102141. The longest tail was 35822 when g = 1480. There were 92 
different values of g that produced graphs with no cycles longer than a fixed point. 
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